Add RBAC scope and new defaults setting support for Nova & Tempest
Nova is ready with the scope and new defaults as per the new
RBAC design. Add a devstack flag to enable the scope checks
and new defaults enforcement on the nova side.
Change-Id: I305ea626a4b622c5534d523f4b619832f9d35f8d
diff --git a/lib/nova b/lib/nova
index 8e8ea8a..63c6a86 100644
--- a/lib/nova
+++ b/lib/nova
@@ -97,6 +97,12 @@
METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775}
NOVA_ENABLE_CACHE=${NOVA_ENABLE_CACHE:-True}
+# Flag to set the oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults.
+# This is used to switch the compute API policies enable the scope and new defaults.
+# By Default, these flag are False.
+# For more detail: https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
+NOVA_ENFORCE_SCOPE=$(trueorfalse False NOVA_ENFORCE_SCOPE)
+
if [[ $SERVICE_IP_VERSION == 6 ]]; then
NOVA_MY_IP="$HOST_IPV6"
else
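Review bot: The comment added above `NOVA_ENFORCE_SCOPE` is hard to parse ("switch the compute API policies enable the scope", "these flag are False") and leaves out two things an operator needs to know. It does not say that this one flag turns on `enforce_scope` and `enforce_new_defaults` together, nor that the global `ENFORCE_SCOPE` enables them as well, which the second lib/nova hunk shows. Suggested wording, keeping the existing docs link: `# Enable oslo_policy.enforce_scope and oslo_policy.enforce_new_defaults together for the compute API.` followed by `# Defaults to False; setting the global ENFORCE_SCOPE=True also enables both.`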
@@ -481,6 +487,10 @@
NOVA_ENABLED_APIS=$(echo $NOVA_ENABLED_APIS | sed "s/,metadata//")
fi
iniset $NOVA_CONF DEFAULT enabled_apis "$NOVA_ENABLED_APIS"
+ if [[ "$NOVA_ENFORCE_SCOPE" == "True" || "$ENFORCE_SCOPE" == "True" ]]; then
+ iniset $NOVA_CONF oslo_policy enforce_new_defaults True
+ iniset $NOVA_CONF oslo_policy enforce_scope True
+ fi
if is_service_enabled tls-proxy && [ "$NOVA_USE_MOD_WSGI" == "False" ]; then
# Set the service port for a proxy to take the original
iniset $NOVA_CONF DEFAULT osapi_compute_listen_port "$NOVA_SERVICE_PORT_INT"
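Review bot: The new `if` block has no `else`, so when the flag stays False nothing is written to nova.conf and nova runs with whatever oslo.policy ships as its defaults for `enforce_scope` and `enforce_new_defaults`. If those library defaults ever change, a job that believes it is testing the legacy policy mode would silently be testing the new one. Writing the disabled state explicitly keeps the enforcement mode visible in the generated config: `else`, `iniset $NOVA_CONF oslo_policy enforce_new_defaults False`, `iniset $NOVA_CONF oslo_policy enforce_scope False`. The lib/tempest hunk has the same shape and leaves `enforce_scope nova` unset when the flag is off, so an explicit `false` there would keep Tempest's expectation in step with nova's setting. The enclosing function starts and ends outside this hunk.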
diff --git a/lib/tempest b/lib/tempest
index 87a2244..b232f24 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -674,6 +674,10 @@
iniset $TEMPEST_CONFIG auth admin_project_name ''
fi
+ if [[ "$NOVA_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
+ iniset $TEMPEST_CONFIG enforce_scope nova true
+ fi
+
if [[ "$GLANCE_ENFORCE_SCOPE" == True || "$ENFORCE_SCOPE" == True ]] ; then
iniset $TEMPEST_CONFIG enforce_scope glance true
fi